From: Ingo Molnar <mingo@elte.hu>
To: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: LKML <linux-kernel@vger.kernel.org>, Pekka Paalanen <pq@iki.fi>,
Stuart Bennett <stuart@freedesktop.org>,
Christoph Bumiller <e0425955@student.tuwien.ac.at>,
Shinpei KATO <shinpei@il.is.s.u-tokyo.ac.jp>,
nouveau@lists.freedesktop.org, x86@kernel.org
Subject: Re: [PATCH] kmmio/mmiotrace: fix double free of kmmio_fault_pages
Date: Mon, 7 Jun 2010 15:33:21 +0200
Message-ID: <20100607133321.GA7562@elte.hu>
In-Reply-To: <20100605193301.GA2674@joi.lan>

* Marcin Slusarz <marcin.slusarz@gmail.com> wrote:
> On Sat, Jun 05, 2010 at 06:49:42PM +0200, Marcin Slusarz wrote:
> > After every iounmap mmiotrace has to free kmmio_fault_pages, but it
> > can't do it directly, so it defers freeing by RCU.
> >
> > It usually works, but when mmiotraced code calls ioremap-iounmap
> > multiple times without sleeping between (so RCU won't kick in and
> > start freeing) it can be given the same virtual address, so at
> > every iounmap mmiotrace will schedule the same pages for release.
> > Obviously it will explode on second free.
> >
> > Fix it by marking kmmio_fault_pages which are scheduled for release
> > and not adding them second time.
> >
>
> Attached patch for mmiotrace testing module allows to reliably reproduce
> the bug. It can be folded into the main patch.
>
> ---
> diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
> index 8565d94..5f0937b 100644
> --- a/arch/x86/mm/testmmiotrace.c
> +++ b/arch/x86/mm/testmmiotrace.c
> @@ -90,6 +90,19 @@ static void do_test(unsigned long size)
> iounmap(p);
> }
>
> +static void do_test2(void)

Please add a comment about what the test function achieves.

> +{
> + void __iomem *p;
> + int i;
> +
> + for (i = 0; i < 10; ++i) {
> + p = ioremap_nocache(mmio_address, 4096);

s/4096/PAGE_SIZE

> + if (p)
> + iounmap(p);
> + }
> + synchronize_rcu(); /* will freeing work? */
> +}
> +
> static int __init init(void)
> {
> unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
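
Review bot: In the loop of do_test2(), a failed ioremap_nocache() is skipped silently by the "if (p)" check, so if the mapping fails on every iteration the function reaches synchronize_rcu() without having exercised a single ioremap/iounmap pair and the test looks as if it passed. Consider reporting the failure and leaving the loop instead. The iteration count 10 is a bare number; a named constant or a short comment on why back-to-back remaps without sleeping are needed would help, and the trailing comment "will freeing work?" could say what a failure looks like.
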
> @@ -104,6 +117,7 @@ static int __init init(void)
> "and writing 16 kB of rubbish in there.\n",
> size >> 10, mmio_address);
> do_test(size);
> + do_test2();
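
Review bot: The message printed just before do_test(size) only announces the "16 kB of rubbish" write, so the log gives no sign that do_test2() runs after it. Add a line to that message, or a separate print before the new call, so that a crash during the second test can be attributed to it.
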
Please name the new function in a bit more meaningful way (such as
do_test_remap()).

Looks good, please send the full (folded back) patch anew, with Pekka's Ack in
place as well.

Thanks,
Ingo
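
The failure mode described in the quoted commit message, as an added userspace model that is not part of this thread or of the kernel source: the same record is queued for deferred release on every unmap until a grace period runs, and a per-record mark keeps it from being queued a second time. The names `fault_page`, `schedule_release`, `grace_period` and `simulate` are hypothetical, and a counter stands in for the actual free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a fault-page record; not the kernel's struct. */
struct fault_page {
    unsigned long addr;
    bool scheduled_for_release;   /* the "mark" the commit message describes */
    int free_count;               /* how many times release was attempted */
};

#define MAX_PENDING 16
static struct fault_page *pending[MAX_PENDING];
static size_t n_pending;

/* Deferred release: queue the record; nothing is freed until the grace period. */
static void schedule_release(struct fault_page *f, bool use_mark)
{
    if (use_mark && f->scheduled_for_release)
        return;                   /* already queued: do not add a second time */
    f->scheduled_for_release = true;
    if (n_pending < MAX_PENDING)
        pending[n_pending++] = f;
}

/* Stand-in for the deferred callbacks running: release everything queued. */
static void grace_period(void)
{
    for (size_t i = 0; i < n_pending; i++)
        pending[i]->free_count++; /* a real free here would be a double free */
    n_pending = 0;
}

/* Unmap the same address `rounds` times with no grace period in between;
 * returns how many times the single record would have been freed. */
int simulate(int rounds, bool use_mark)
{
    struct fault_page f = { .addr = 0x1000 };
    n_pending = 0;
    for (int i = 0; i < rounds; i++)
        schedule_release(&f, use_mark);
    grace_period();
    return f.free_count;
}

int main(void)
{
    printf("unmarked: %d, marked: %d\n", simulate(10, false), simulate(10, true));
    return 0;
}
```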